High Severity
BEC with unusual Reply-to or Return-path mismatch
Description
Detects an unusual header mismatch where the sender is not a freemail address, but the Reply-To or Return-Path is. NLU also detects a BEC intent with medium or high confidence.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Aug 27th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "advance_fee") and .confidence == "high"
)
and (
    headers.return_path.domain.root_domain in $free_email_providers
    or (
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.root_domain in $free_email_providers
        )
    )
)
and (
    (
        sender.email.domain.root_domain == "paypal.com"
        and (
            not headers.auth_summary.dmarc.pass
            or headers.auth_summary.dmarc.pass is null
        )
    )
    or sender.email.domain.root_domain is null
    or sender.email.domain.root_domain != "paypal.com"
)
and sender.email.domain.root_domain not in $free_email_providers
// negate gmail autoforwards and null return paths
and (
    headers.return_path.email is null
    or not strings.ilike(headers.return_path.local_part, "*+caf_=*")
)
// negate listservs
and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
)
// negate legit replies
and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
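The header logic of the rule above, re-implemented in Python as an added example (this is not Sublime Security's code and does not use its MQL engine). It runs over constructed sample messages and mirrors the rule's structure: sender root domain not in a freemail list, but the Return-Path or every Reply-To address is; the Gmail autoforward (`+caf_=`) exclusion; the listserv exclusion (List-Unsubscribe plus "via" in the display name); the reply exclusion (References or In-Reply-To); and the paypal.com DMARC carve-out. Assumptions: the NLU intent classifier and the DMARC verdict are not reproduced and are supplied by the caller as `bec_intent_high` and `dmarc_pass`; `FREE_EMAIL_PROVIDERS` is a small stand-in for `$free_email_providers`; `root_domain` takes the last two DNS labels instead of consulting the Public Suffix List, so it misclassifies domains such as `example.co.uk`.

```python
"""Added example: Python approximation of the rule's header-mismatch checks."""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Optional

# Constructed stand-in for Sublime's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def root_domain(address: Optional[str]) -> Optional[str]:
    """Registrable domain of an address. Simplification (assumption): last two
    DNS labels rather than a Public Suffix List lookup."""
    if not address or "@" not in address:
        return None
    labels = [l for l in address.rsplit("@", 1)[1].strip().lower().split(".") if l]
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def is_gmail_autoforward(return_path: Optional[str]) -> bool:
    """Gmail autoforwards rewrite the Return-Path local part to contain '+caf_='."""
    if not return_path:
        return False
    return "+caf_=" in return_path.split("@", 1)[0].lower()


def header_mismatch(raw_message: str, bec_intent_high: bool,
                    dmarc_pass: Optional[bool] = None) -> bool:
    """True when the message satisfies the rule's conditions.

    bec_intent_high stands in for ml.nlu_classifier (assumption: caller supplies it);
    dmarc_pass stands in for headers.auth_summary.dmarc.pass (None = unknown).
    """
    if not bec_intent_high:
        return False
    msg = message_from_string(raw_message)
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_root = root_domain(sender_addr)
    return_path_addr = parseaddr(msg.get("Return-Path", ""))[1] or None
    reply_to_roots = [root_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))]

    # The sender must not be freemail, but the Return-Path or every Reply-To must be.
    if sender_root in FREE_EMAIL_PROVIDERS:
        return False
    freemail_return_path = root_domain(return_path_addr) in FREE_EMAIL_PROVIDERS
    freemail_reply_to = bool(reply_to_roots) and all(r in FREE_EMAIL_PROVIDERS for r in reply_to_roots)
    if not (freemail_return_path or freemail_reply_to):
        return False
    # paypal.com senders only match when DMARC did not pass (or is unknown).
    if sender_root == "paypal.com" and dmarc_pass is True:
        return False
    # Negate Gmail autoforwards; a null Return-Path is allowed through, as in the rule.
    if is_gmail_autoforward(return_path_addr):
        return False
    # Negate listservs: List-Unsubscribe present and "via" in the display name.
    if msg.get("List-Unsubscribe") is not None and "via" in display_name:
        return False
    # Negate legitimate replies.
    if msg.get("References") or msg.get("In-Reply-To"):
        return False
    return True


# Constructed samples (all domains are fictitious). A blank line ends the headers.
SUSPICIOUS = """\
From: "Accounts Payable" <ap@example-corp.invalid>
To: finance@victim.invalid
Reply-To: <ap.example.corp@gmail.com>
Subject: Urgent wire change

Please update our banking details before the next payment.
"""
LEGIT_REPLY = """\
From: "Carol" <carol@example-corp.invalid>
Reply-To: <carol.home@outlook.com>
In-Reply-To: <abc123@victim.invalid>
To: finance@victim.invalid
Subject: Re: payment

Thanks, confirmed.
"""
AUTOFORWARD = """\
From: "Bob" <bob@example-corp.invalid>
Return-Path: <bob+caf_=fin=example-corp.invalid@gmail.com>
To: finance@victim.invalid
Subject: Invoice

Forwarded invoice attached.
"""
LISTSERV = """\
From: "Alice via Discuss List" <discuss@example-corp.invalid>
Reply-To: <alice@yahoo.com>
List-Unsubscribe: <mailto:discuss-leave@example-corp.invalid>
To: finance@victim.invalid
Subject: Hello

List post.
"""

if __name__ == "__main__":
    for name, sample in [("suspicious", SUSPICIOUS), ("reply", LEGIT_REPLY),
                         ("autoforward", AUTOFORWARD), ("listserv", LISTSERV)]:
        print(name, header_mismatch(sample, bec_intent_high=True))
```

Only the suspicious sample matches; the other three are dropped by the same exclusions the rule uses, which is the behaviour worth checking when tuning a freemail list or the autoforward pattern.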